
Re: [ietf-dkim] SSP = FAILURE

2006-09-09 11:54:21

On Sep 9, 2006, at 10:40 AM, Scott Kitterman wrote:

> On Saturday 09 September 2006 13:26, John Levine wrote:
>> The best way to help end-users avoid getting phished is to not accept
>> phishing messages for delivery.  DKIM-SSP where strict policy
>> statements are published offers a mechanism for this.
>>
>> I get a message from security@ebay-verify.com.  It has a valid
>> signature.  I check the SSP for ebay-verify.com, which says "MAJOR
>> PHISHING TARGET, ACCEPT ONLY WITH SIGNATURE."  So I drop it into the
>> recipient's mailbox with a gold star on it.
>>
>> What have we just accomplished?
>
> A bad thing.  Don't put the gold star on it.  That would be a mistake.

That's right.

And, _within the framework we're discussing here_, it's equally
true for mail from any other domain.

I think that that quite strongly demonstrates that discussing
phishing and SSP at the same time is pretty pointless, as SSP
is all about self-declaration, and people who send phish emails
tend not to tell the truth.

Any value DKIM has w.r.t. phishing is to provide a strong proof
of the identity of the sender, allowing some external third
party to verify that it's really a bank / D&B certified business /
registrar / or what have you.

Cheers,
  Steve

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
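The point the thread turns on is that a signature plus a self-published policy answers "who signed this?" but not "should the recipient trust the signer?". The following is an added illustration, not code from the thread or from any participant: a toy receiver that separates DKIM verification, the signing domain's self-declared SSP record, and an external accreditation list. The policy table, the accreditation set and the `.example` domains (including a lookalike standing in for the thread's ebay-verify.com) are constructed sample data; signature verification is simulated by a boolean.

```python
# Added example, not part of the original thread. Models three separate facts a
# receiver can know about a message:
#   1. whether the DKIM signature verified and who signed (authentication),
#   2. what the author domain's self-published SSP record claims (self-declaration),
#   3. whether an external party vouches for the domain (third-party accreditation).
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    UNKNOWN = "unknown"   # no SSP record published for the domain
    NEUTRAL = "neutral"   # domain signs some mail, accepts unsigned too
    STRICT = "strict"     # domain says all its mail is signed; reject the rest


# Constructed SSP records. Anyone who controls a domain can publish "strict"
# for it, so a lookalike domain can make exactly the same claim as the real one.
SSP_RECORDS = {
    "ebay.example": Policy.STRICT,
    "ebay-verify.example": Policy.STRICT,   # lookalike, also claims strict
}

# Constructed third-party accreditation list: only externally vetted domains.
ACCREDITED = {"ebay.example"}


@dataclass
class Message:
    from_domain: str                 # domain of the author (From: header)
    signature_valid: bool            # result of DKIM verification (simulated)
    signing_domain: Optional[str]    # d= of the verified signature, if any


def _signed_by_author(msg: Message) -> bool:
    """A signature only supports the author's claim if the signing domain
    matches the From: domain; a third-party signature does not."""
    return msg.signature_valid and msg.signing_domain == msg.from_domain


def delivery_decision(msg: Message) -> str:
    """Accept or reject using only the signature and the self-declared policy.
    This is what SSP can do: stop unsigned mail that claims a strict domain."""
    policy = SSP_RECORDS.get(msg.from_domain, Policy.UNKNOWN)
    if policy is Policy.STRICT and not _signed_by_author(msg):
        return "reject"
    return "accept"


def trust_badge(msg: Message) -> bool:
    """Whether to show the recipient a 'gold star'. A valid signature and a
    self-declared strict policy are not enough; the signing domain must also be
    vouched for by an external party the receiver trusts."""
    return _signed_by_author(msg) and msg.from_domain in ACCREDITED


if __name__ == "__main__":
    cases = {
        "genuine, signed": Message("ebay.example", True, "ebay.example"),
        "lookalike, signed": Message("ebay-verify.example", True, "ebay-verify.example"),
        "genuine domain, unsigned": Message("ebay.example", False, None),
        "genuine domain, third-party signer": Message("ebay.example", True, "mailer.example"),
    }
    for label, msg in cases.items():
        print(f"{label:36} delivery={delivery_decision(msg):7} badge={trust_badge(msg)}")
```

The lookalike case is the one the thread describes: it is accepted, because its self-declared policy is satisfied by its own valid signature, but it earns no badge, because the accreditation decision is made by someone other than the sender. The unsigned and third-party-signed cases show what a strict SSP record does buy the receiver.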
